Key developments
Canvas breach disrupts schools during finals week
Reporting from The New York Times, ABC13 Houston and the Los Angeles Times says Instructure’s Canvas learning platform was pushed into maintenance mode on May 7 after the company disclosed a cybersecurity incident on May 1 and ShinyHunters began extortion messaging. Schools and universities reported outages and login blocks during finals, while Instructure said affected records included names, email addresses, student ID numbers and Canvas messages, not passwords, government IDs or financial data. Hackers claimed access to data from nearly 9,000 schools and more than 275 million people, but that figure remains unverified.
Why it matters
Student and staff records at thousands of schools create broad notification and phishing exposure during a sensitive academic period.
Sources & driving stories
THE NEW YORK TIMES
The New York Times coverageABC13 HOUSTON
ABC13 Houston coverageLOS ANGELES TIMES
Los Angeles Times coverageMissouri probes Conduent breach exposing health data
St. Joseph Post reported that Missouri Department of Commerce and Insurance Director Angela Nelson is investigating a Conduent breach that apparently exposed names, addresses, Social Security numbers and health care data. Nelson said the incident appears to span fall 2024 through January 2025, and public reports estimate roughly 25 million Americans may have been affected. Conduent has sent notification letters and identity-theft tips, while Missouri officials are still trying to determine how many residents were hit and urging checks of credit reports and insurance statements.
Why it matters
A breach combining SSNs and health data can drive identity theft, fraud and medical-claim misuse across a large population.
Sources & driving stories
ST JOSEPH POST
St Joseph Post coverageZara breach exposed 197,400 customer records
BleepingComputer's Sergiu Gatlan reported that Have I Been Pwned analyzed data from Zara's unauthorized access incident and found exposure affecting 197,400 people. Inditex said the compromised databases were hosted by a former technology provider, that names, phone numbers, addresses, credentials and payment data were not accessed, and that operations were unaffected. The recovered data included unique email addresses, locations, purchases and support-ticket metadata, and ShinyHunters later claimed responsibility for a 140GB archive taken from BigQuery.
Why it matters
Even without payment data, the exposed records can fuel targeted phishing and account takeover attempts.
Sources & driving stories
BLEEPINGCOMPUTER · Sergiu Gatlan
BleepingComputer coverageWorth noting
WORTH NOTING
Horizon Media breach exposed SSNs
Federman & Sherwood's Caroline Chesher says a Maine-notified incident at Horizon Media involved copied files with names and Social Security numbers and includes 24 months of monitoring.
WORTH NOTING
ShinyHunters tied to SaaS vishing
BleepingComputer says the Zara incident is linked to a wider voice-phishing campaign against employees and outsourced agents, suggesting a repeatable access method beyond one retailer.
Still unclear
OPEN QUESTION
How many Missourians were exposed?
Officials still have not quantified local impact from the Conduent breach, which determines notice and fraud-monitoring scope.
OPEN QUESTION
What is the verified Canvas count?
Schools are acting on hacker claims and vendor disclosures that diverge widely, so the confirmed number will shape follow-up notices.